Ships are riddled with malware and viruses, and owners are unaware of these dangers, according to a security expert. Investigators going on ships and offshore assets, including mobile rigs and drillships, have found viral infections in onboard IT networks and computers.

NCC Group senior advisor Tim Rawlins said these viruses often infect ship computers through the crew’s use of memory sticks. “We are yet to find a ship that does not have malware on board when we investigate it,” he said, adding that shipowners and managers should conduct audits of IT systems to identify infected computers and deal with the infections.

He said shipping companies should encourage good IT hygiene by training seafarers and shore staff to reduce the spread of viruses. “Everyone uses memory sticks to move data around, to update navigation equipment and system management set-ups,” he explained at Navigate’s Smart Solutions conference in London in May.

“But a virus could go on the stick and then compromise the main terminal and then other people’s computers. Crew should be given cyber security training to prevent the spread of infections.” Cyber security training should also be spread to vendors and agents, as anyone coming onto a ship in port could compromise ship networks.

"Crew should be given cyber security training to prevent the spread of infections"

Firewalls may prevent malware from entering a ship network over the satellite link and regularly updated antivirus software could clean up infected systems. Mr Rawlins said low bandwidth on the uplink to satellites from ships could be saving many from malware activity.

“Malware on ships tries to signal out from the ship to request action commands from a host server,” he explained. “But the signal cannot get through because of the bandwidth limitations.” However, as shipowners increase the connectivity capacity between ships and shore, the signals may get through more frequently, Mr Rawlins warned.

He said malware has damaged IT networks on offshore drilling rigs in the past, adding: “One rig was out of action for 17 days because of malware.” Cyber malware has also attacked port infrastructure. Mr Rawlins said the Port of Antwerp had its systems compromised by criminals who wanted to smuggle cocaine in containers. At that time, the criminals also compromised customs computers and re-organised transport movements. “Port of Antwerp systems were compromised and this is not the only port to have problems,” he explained.

Shipping company top executives have been targeted by criminal e-mails requesting bank transfers and brokers have been hacked. Mr Rawlins said these were through whaling attacks that deliberately target high earners in companies.

Hackers could also compromise ship bridge equipment to navigate a ship to the wrong location. “Hackers can spoof GPS and identification systems by using a powerful signal to swamp the onboard equipment,” he said. The new signal can pilot ships away from their designated routes by misguiding the positioning instruments.

"Hackers can spoof GPS and identification systems by using a powerful signal to swamp the onboard equipment"

To prevent malware infections and hackers, shipping companies should train staff and seafarers, re-assess their firewalls, keep antivirus software updated and conduct risk and system vulnerability analysis, said Mr Rawlins.

Shipowners could also install kernel level filter technology, such as Abatis. This protects networks from all types of malware by blocking virus executable files. Abatis is a small piece of code that sits inside the kernel of the operating system software. Everything has to go through this code to reach the permanent storage.

It would prevent any malware from writing to this storage, said Abatis chief executive Kerry Davies. “All malware is a program or binary executable object that can do damage to systems,” he explained. “It tries to write to the permanent storage in order to gain persistence – to be able to do its damage for as long as possible.”

This would mean any network on which Abatis was installed would be protected. “It can stop any malware even if it has not seen it before, such as zero-day attacks. It will not let any new binary programs get to the permanent storage,” said Mr Davies.

The technology works on any Windows or Linux operating systems including legacy ones. There is a policy engine to define what applications are allowed to update automatically. Abatis can be deployed in real, virtual and embedded operating systems, or Scada (supervisory control and data acquisition) systems. For networks with programmable logic controllers, Abatis protects the management control device.

Abatis software has three modes of operation: learn, block and audit. “The learn mode records what it could have blocked if it was in the block mode, but does not actually block it,” Mr Davies explained. “This enables a risk-free roll-out of the software into any environment.” It tells people what has gone through and what that malware affected.

The audit mode records all the input and output devices on a system, producing a log for forensic analysis. “With our software, managers can turn off all updates to a ship network until the vessel comes into port, saving broadband costs and stopping infections,” Mr Davies added.

Some of the cyber threats and protection technologies will be discussed at Riviera’s European Maritime Cyber Risk Management Summit, which will be held in London in association with Norton Rose Fulbright on 20 June.